chore: add upgrade steps

mouraddmeiri · mouraddmeiri · commit 4a920ee4d522 · 2025-09-09T12:11:57.000Z
diff --git a/content/nap-waf/v5/admin-guide/deploy-with-helm.md b/content/nap-waf/v5/admin-guide/deploy-with-helm.md
@@ -324,10 +324,71 @@ To use the *mTLS Configuration* options, read the [Secure Traffic Between NGINX
 
 ## Upgrade the chart
 
-To upgrade the release `<release-name>`:
-```
-helm upgrade <release-name> .
-```
+1.  Login to the registry:
+
+    ```shell
+    helm registry login --username=<JWT Token> --password=none private-registry.nginx.com
+    ```
+
+1.  Pull the new version of the helm chart:
+
+    ```shell
+    helm pull oci://private-registry.nginx.com/nap/nginx-app-protect --version <release-version> --untar
+    ```
+
+1.  Change your working directory to nginx-app-protect:
+
+    ```shell
+    cd nginx-app-protect
+    ```
+
+1.  Create a new folder on the cluster machine. This folder will include all shared files and resources between pods and containers in the deployment. It will also be used for the PV binding later:
+    
+    ```shell
+    mkdir -p /mnt/nap5_bundles_pv_data/
+    chown 101:101 /mnt/nap5_bundles_pv_data/
+    ```
+
+1.  Create a new Persistent Volume for your storage. The PV will be detached from the helm deployment, and must have the name `<release-name>-shared-bundles-pv`.
+
+    Create a YAML file `pv-hostpath.yaml` with the PV file content:
+    ```yaml
+    apiVersion: v1
+    kind: PersistentVolume
+    metadata:
+      name: nginx-app-protect-shared-bundles-pv
+      labels:
+        type: local
+    spec:
+      accessModes:
+        - ReadWriteMany
+      capacity:
+        storage: "2Gi"
+      hostPath:
+        path: "/mnt/nap5_bundles_pv_data"
+      persistentVolumeReclaimPolicy: Retain
+      storageClassName: manual
+    ```
+
+    Apply the `pv-hostpath.yaml` file to create the new PV:
+    ```shell
+    kubectl apply -f pv-hostpath.yaml
+    ```
+
+1. Enable/Disable the Policy Controller pod deployment.
+
+    The Policy Controller option is enabled by default (`appprotect.policyController.enable: true`). Helm will also install the required custom resource definitions (CRDs) required by the policy controller pod.
+
+    **Important**: Before applying the Policy Controller, the required Custom Resource Definitions (CRDs) must be installed first. If the CRDs are not installed, the Policy Controller pod will fail to start and show CRD-related errors in the logs.
+
+    If you do not use the custom resources that require those CRDs (With `appprotect.policyController.enable` set to false), the installation of the CRDs can be skipped by specifying --skip-crds in your helm install command. Please also note that when upgrading helm charts, the current CRDs will need to be deleted and the new ones will be vreated as part of the helm install of the new version.
+    
+    If you wish to pull security updates from the NGINX repository (with APSignatures CRD), you should set the `appprotect.nginxRepo` value in values.yaml file.
+
+1.  Upgrade the release `<release-name>`:
+    ```
+    helm upgrade <release-name> .
+    ```
 
 ## Uninstall the chart
 
